CVE-2025-62428
8.8
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
Summary
Drawing-Captcha APP provides interactive, engaging verification for Web-Based Applications. The vulnerability is a Host Header Injection in the /register and /confirm-email endpoints. It allows an attacker to manipulate the Host header in HTTP requests to generate malicious email confirmation links. These links can redirect users to attacker-controlled domains. This vulnerability affects all users relying on email confirmation for account registration or verification. This vulnerability is fixed in 1.2.5-alpha-patch.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Drawing-Captcha | Drawing-Captcha-APP | < 1.2.5-alpha-patch | affected |
Weaknesses
- CWE-601: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: total
Additional References
References
- https://github.com/Drawing-Captcha/Drawing-Captcha-APP/security/advisories/GHSA-5pj8-fc6g-vv7m
- https://github.com/Drawing-Captcha/Drawing-Captcha-APP/issues/30
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.